Fortinet patches critical FortiSIEM vulnerability allowing code execution

Fortinet has released critical security updates for its FortiSIEM product to address a severe OS injection vulnerability, CVE-2025-64155, which carries a CVSS score of 9.4. This flaw could enable an unauthenticated attacker to execute arbitrary code on vulnerable systems, according to a recent report by The Hacker News.

The vulnerability, discovered by Zach Hanley of Horizon3.ai, resides in the phMonitor service, which handles logging security events. An attacker can exploit an argument injection flaw via crafted TCP requests to the phMonitor service on port 7900. This allows for arbitrary file writes as an admin user, which can then be weaponized to overwrite a cron job file with a reverse shell. This escalation grants root access, leading to a complete compromise of the appliance. The vulnerability specifically impacts Super and Worker nodes across several FortiSIEM versions, including 6.7.0 through 7.4.0. Fortinet has also addressed a separate critical flaw in FortiFone (CVE-2025-47855) that allowed configuration data retrieval.

Organizations using FortiSIEM are strongly advised to update to the fixed versions immediately. As a temporary workaround, Fortinet recommends limiting access to the phMonitor port (7900).

Source: The Hacker News